1. Field of the Invention
Embodiments of the present invention relate to software applications and security.
2. Background Art
It is important for computer systems to run untrusted software securely. Untrusted code, such as spyware, viruses or adware, may be received through the Internet and executed on a computer system. During execution, these software processes may be able to unsafely access and use system resources. Executing untrusted software can compromise or destroy an unprotected computer. Untrusted software may also compromise the privacy of a computer's users.
The security of a computer process can be handled in different ways. For example, some operating systems, such as WINDOWS VISTA, presently handle security through the use of tokens. A token may encapsulate a user identity and specific rights allowed or denied to that user. A token is like a badge that identifies the bearer. Each object of an operating system is annotated with a list of users or groups that can access the object. An operating system will create a handle based on an object and a token when a desired action is granted. The handle will include the user's identity and an action the user may perform. A system may look at this handle, determine if a user can take a requested action, and then either allow or deny the requested action. Tokens may be altered to provide a limited set of privileges. These limitations may leave a process with access to either too many or too few resources.
Running software processes securely is more difficult in multi-threaded systems. Multi-threaded systems allowed processes to spawn sub processes, or threads, that can be run concurrently. A process may limit the actions its threads may take. To limit the rights of its threads or child processes, a process can copy and alter the original process token so that a more restrictive token can be attached to each thread. These token copies could be altered to restrict certain actions by the thread.
Even with these precautions, applications could use holes in security or the threading environment to access sensitive portions of the computer. Sandboxing has been developed to secure these holes. Sandboxing may be defined as a mechanism which allows a host system to execute guest code in a confined environment, so that the guest code can only affect the host system according to a defined policy. Sandboxing may be performed in kernel mode or user mode.
Kernel mode sandboxing may modify an operating system by adding additional device drivers. These device drivers provide additional privilege checking to restrict guest code from affecting the host system. Because this method deals with manipulating the operating system directly, it does not require a lot of overhead or significantly affect the performance of applications. Kernel mode sandboxing also allows users to run any application without requiring application code to be rewritten. However, kernel mode sandboxing is highly risky. A designer must write or rewrite portions of the operating system. This is a highly sensitive area, and any mistake can have drastic consequences.
In a few cases, sandboxing may take place in user mode. User mode sandboxing may be implemented as a program that can be loaded by any user, not just a privileged user. User mode sandboxing may include dynamic translation. Dynamic translation involves rewriting instruction code at execution time into a safe form before executing the code. Dynamic translation is performed, for example, with VMWARE. Because the operating system is not reconfigured or added to, user mode sandboxing is safer than kernel mode. However, user mode sandboxing reduces application performance because of the overhead involved in rewriting code during execution.
User mode sandboxing may also include segmentation. VX32 is a user-level sandbox which uses segmentation and dynamic translation. (Bryan Ford and Russ Cox, “Vx32: Lightweight, User-level Sandboxing on the x86”, Massachusetts Institute of Technology, PDOS, 2008. Segmentation is implemented by cordoning off memory access for specific applications. This implementation of sandboxing requires rewriting the software code depending on the application and the operating system. It is also limited in the security it can provide. While memory cannot be accessed outside of specified regions, this system only provides memory protection. Applications may still spawn other processes and have access to other system resources.
Many network applications, such as browsers, run guest code from other sources. These applications need to be restricted in order to secure the system. But in order to start an application, the application must be granted certain access to memory and system resources. Once the application is granted access and started, that access may not be further restricted due to present system limitations. These limitations have been used by untrusted and malicious code to run unauthorized code.
What is needed is a way to run guest code in a multithreaded system with more process security and with less performance loss.